Re: AW: Question about the manager account for the openldap-database
by Quanah Gibson-Mount
--On Friday, January 09, 2009 8:43 AM +0100 Oliver Steffens
<osteffens(a)gc-heat.de> wrote:
> Thank you for your quick reply. We will check this solution.
Please keep replies on the list.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Need information
by Buddhadeb Bhakta
Hi All,
I would like to use the C functions below, which are inside the ldap.h header file.
ldap_init()
ldap_simple_bind_s()
ldap_search_s()
ldap_unbind()
Could anyone please let me know what package I should install in order to use these functions? I am using the HP-UX B.11.00 version of the OS.
Please advise.
Thanks
Buddhadeb
OpenLDAP as a 'generic' hierarchical data store
by Lorenzo Pastrana
Hello list,
I was wondering lately if I could use OpenLDAP as a 'generic'
hierarchical data store for the application I'm planning, and tried to
get any hint about feasibility. I found a blog post about OpenDS
(http://blogs.sun.com/treydrake/entry/ldap_vs_relational_database),
where the author talks about read/write performance parity ...
That was the kind of news I just wanted to hear because I'm thinking
about a persistence back-end, not just an almost static dataset, but I'm
in a genuine PHP environment and Java is not an option; so I naturally
tried to get some info regarding OpenLDAP performance but found nothing
recent, and the references I could find are quite discouraging on that
matter ...
However, since 4 to 8 years have passed since the tests I've been
reading, I'm still hoping for 'a pleasant surprise', as the Sun guy
says ...
Does someone have an experience to share about that kind of (mis-)usage
of OpenLDAP?
Any pointers to some good and recent reference on the matter are of
course welcome.
Thanks in advance for any information.
LP
Lorenzo Pastrana - Happy End Vision
--------------------------
Web design
Multimedia design
Visual communication and publishing
--------------------------
Tel.: 01 42 47 83 09
Fax: 01 47 70 70 19
E-mail : lorenzo.pastrana(a)happyend.fr
Question about the manager account for the openldap-database
by Oliver Steffens
Hi together,
Unfortunately the current (md5-encrypted) password is lost...
Is it possible to change the "rootpw" in "slapd.conf" from an md5 one
to a new plain-text one without any problems or additional
effort?
Thank you for your help in advance!
Best regards
Oliver Steffens
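An added example, not from the thread: since the old hash cannot be recovered anyway, a fresh hashed rootpw value can be generated and checked locally in the same {scheme}base64(digest+salt) layout that slappasswd prints and slapd accepts, so slapd.conf never has to carry a plain-text password. The scheme table, 4-byte salt length and the sample password are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hash algorithm and whether a salt is appended, per OpenLDAP password scheme.
# Salted schemes hash password+salt and store base64(digest + salt), which is
# the layout slappasswd emits and slapd accepts in rootpw / userPassword.
_SCHEMES = {
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
}


def make_hash(password: str, scheme: str = "{SSHA}",
              salt: Optional[bytes] = None) -> str:
    """Build a {scheme}base64 value, e.g. for a new rootpw line."""
    algo, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt  # 4-byte salt assumed
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def check_hash(password: str, stored: str) -> bool:
    """Verify a candidate password against a stored {scheme}base64 value."""
    scheme = stored[: stored.find("}") + 1]
    if scheme not in _SCHEMES:
        return False
    algo, salted = _SCHEMES[scheme]
    raw = base64.b64decode(stored[len(scheme):])
    digest_len = hashlib.new(algo).digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    if not salted and salt:          # unsalted scheme must not carry a salt
        return False
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def rootpw_directive(password: str) -> str:
    """The slapd.conf line to paste in place of the lost one."""
    return "rootpw " + make_hash(password)


if __name__ == "__main__":
    print(rootpw_directive("constructed-example-password"))
```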
LDAP Host access best practices
by Mathew Rowley
I am fairly new to LDAP in general, so please excuse any syntax errors. I
have a radius proxy which will query an LDAP data store to determine if a
user has access to a host. I want to reuse the concept of how users are
defined:
ou=users -> defines all users
ou=groups -> defines all groups
ou=groups,cn=groupname -> links the users to the group
with hosts. My problem is that I cannot find any specific formal definition
of how this is done (in terms of what each subtree's objectClass should be).
Has anyone done this, or can point me in the right direction?
All the user/group based stuff is based on posixGroup, which I'm pretty sure
is a Unix/Linux concept; can this be used for what I am trying to do with
hosts?
Basic architecture:
ou=hosts -> defines a host
ou=hostGroups -> defines a group name (organizationalUnit?)
ou=hostGroups,cn=hostGroupName -> this will link what hosts are in the group
Thanks for any help.
--
MAT
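As an added sketch (not from the thread), one way to realise the ou=hosts / ou=hostGroups layout with standard object classes: each host is a device entry (core schema) with the auxiliary ipHost class from nis.schema for its address, and a host group is a groupOfNames whose member values are host DNs, the same way DN-based user groups are built. The suffix dc=example,dc=com, the host and group names and the address are placeholders.

```ldif
# Added example; suffix, names and address are placeholders.
dn: ou=hosts,dc=example,dc=com
objectClass: organizationalUnit
ou: hosts

# One host entry: device gives the structural class, ipHost (nis.schema)
# adds ipHostNumber so a lookup can match on address as well as on name.
dn: cn=vpn1.example.com,ou=hosts,dc=example,dc=com
objectClass: device
objectClass: ipHost
cn: vpn1.example.com
ipHostNumber: 192.0.2.10

dn: ou=hostGroups,dc=example,dc=com
objectClass: organizationalUnit
ou: hostGroups

# A host group is a groupOfNames whose members are host DNs.
dn: cn=vpn-gateways,ou=hostGroups,dc=example,dc=com
objectClass: groupOfNames
cn: vpn-gateways
member: cn=vpn1.example.com,ou=hosts,dc=example,dc=com
```

"Is host X in group G" then becomes a search under ou=hostGroups with the filter (&(objectClass=groupOfNames)(member=<host DN>)), which the same proxy can run for user groups.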
replication on 2.4.13
by jakjr
Hello,
I'm testing a multimaster config on openldap 2.4.13.
I have 2 servers. Adds and Modifies are ok on both.
But, when I deleted 300 entries with server B down and this server came up
again, those entries deleted from server A were not replicated. Server B is still
keeping those entries.
Is this a bug or a config error?
This is my config:
ServerID XXX
syncrepl rid=001
provider=ldap://<IP>
type=refreshAndPersist
retry="5 5 10 +"
searchbase="dc=br"
bindmethod=simple
binddn="cn=admin,dc=br"
credentials=**
schemachecking=off
mirrormode on
overlay syncprov
syncprov-checkpoint 100 1
syncprov-reloadhint TRUE
syncprov-sessionlog 100
Thanks
authenticate a user to LDAP server using GSS-SPNEGO and Kerberos
by Deepika Srivastava
Hi
I have to authenticate a user to LDAP server using GSS-SPNEGO and Kerberos
as base mechanism.
I have successfully generated the TGT.
Now I want to use ldap_sasl_bind_s() function with "GSS-SPNEGO" as
mechanism.
I am not sure of the parameters to pass.
I read on
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/ap...
that, in the case of Kerberos, we can use the above-mentioned ticket if we have
the TGT. We just need to pass 'cred' and 'dn' as NULL and the function will
automatically take care of the rest of the mechanism under the covers.
ldap_sasl_bind_s (g_hLDAP,"", "GSS-SPNEGO" ,NULL,NULL,NULL, &servercredp )
This is how I am calling the function, but it is throwing LDAP_PARAM_ERROR.
I am not sure of the reason. Can anyone help me on the reason?
Also, I wanted to know whether we need any configuration at the LDAP
server end to enable Kerberos authentication.
Also, do I need to call krb5_mk_req() before calling ldap_sasl_bind_s(), or
can I directly call ldap_sasl_bind_s()?
Can anyone help me with the flow of API calls for achieving complete authentication
after obtaining the Kerberos ticket?
Any thoughts?
ldap.conf location help
by Sankhadip Sengupta
Hi,
I am trying to make a client which will query users via an LDAP server. Now in the code I use TLS to encrypt the session.
Using TLS, I face a problem that the client is unable to verify the server certificate.
Connect error(-11) ssl error(1490086).
When I use ldapsearch to do that it works fine. I have the LDAP server on the same machine, running via loopback.
I figured this problem is due to the location of the ldap.conf file, as when I changed the entry of TLS_CACERT in the ldap.conf file (commented it out) the ldapsearch also failed, which shows it is unable to locate the certificate.
Is there any way to make sure that the client tools always find the correct ldap.conf file?
Please help.
Sankhadip
Question about ldap filter
by Jason Voorhees
Hi there:
I'm trying to understand how ldap filters work. Based on this simple
logic expression:
EXPR_1 (or) EXPR_2
If EXPR_1 returns TRUE, will slapd still try to evaluate EXPR_2? Or will
slapd evaluate EXPR_2 anyway even if EXPR_1 is true?
I think that the bigger the ldap filter is, the worse the performance is,
right?
Could somebody explain to me a little about this logic of evaluation in
ldap filters?
Thanks
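The EXPR_1 (or) EXPR_2 question is about short-circuit evaluation. The toy evaluator below is an added example, not part of the thread and not slapd's code: it parses a subset of RFC 4515 filters and counts how many attribute tests it actually performs, so a true first branch of an OR visibly leaves the second branch untested. It models only the per-entry filter test; slapd also selects candidate entries through its indexes before testing any filter against an entry, which this does not model.

```python
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute name (lowercase) -> values
_LEAF = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")
# AST nodes: ("&"|"|", [kids]), ("!", kid), ("=", attr, value), ("present", attr)

def parse_filter(text: str) -> tuple:
    """Parse the &, |, !, equality and presence subset of RFC 4515."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing data after filter: {rest!r}")
    return node

def _parse(text: str) -> Tuple[tuple, str]:
    if not text.startswith("("):
        raise ValueError(f"expected '(' at {text!r}")
    if text[1] in "&|!":
        op, rest, kids = text[1], text[2:], []
        while rest.startswith("(") and (op != "!" or not kids):
            kid, rest = _parse(rest)
            kids.append(kid)
        if not rest.startswith(")") or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter near {rest!r}")
        return ((op, kids[0]) if op == "!" else (op, kids)), rest[1:]
    m = _LEAF.match(text)
    if not m:
        raise ValueError(f"unsupported filter item at {text!r}")
    attr, value = m.group(1).lower(), m.group(2)
    node = ("present", attr) if value == "*" else ("=", attr, value.lower())
    return node, text[m.end():]

def evaluate(node: tuple, entry: Entry, stats: Dict[str, int]) -> bool:
    """Short-circuit: OR stops at the first true branch, AND at the first
    false one; stats["leaf_tests"] counts the attribute tests performed."""
    kind = node[0]
    if kind == "|":
        return any(evaluate(k, entry, stats) for k in node[1])
    if kind == "&":
        return all(evaluate(k, entry, stats) for k in node[1])
    if kind == "!":
        return not evaluate(node[1], entry, stats)
    stats["leaf_tests"] = stats.get("leaf_tests", 0) + 1
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if kind == "present" else node[2] in values

def match(flt: str, entry: Entry) -> Tuple[bool, int]:
    """Return (matched, number of leaf tests actually performed)."""
    stats: Dict[str, int] = {}
    return evaluate(parse_filter(flt), entry, stats), stats.get("leaf_tests", 0)
```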
acl to allow access to specific parts of the tree only for a particular dn
by ben thielsen
i'd like to prevent the dn "cn=foo, ou=services, ou=accounts, dc=example, dc=com" from accessing any part of the tree outside of "ou=test, ou=other,
ou=users, ou=accounts, dc=example, dc=com" and "ou=test, ou=other, ou=users, ou=groups, dc=example, dc=com", and would like that dn to have only read
access to those two subtrees - the exception being that that user should of course be able/required to authenticate.
i'm having trouble constructing a working acl that accomplishes this.
one example attempt:
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base=""
by * read
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by * none
olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com"
by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read
by self write
by users read
by * none
olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=groups,dc=ltn,dc=lvc,dc=com"
by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read
by self write
by users read
by * none
olcAccess: to *
by self write
by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" none
by users read
by * none
that particular example gets me:
>ldapsearch -uxLLLWP 3 -H 'ldaps://ldap.ltn.lvc.com' -D 'cn=montage_test, ou=services, ou=accounts, dc=ltn, dc=lvc, dc=com' -b 'dc=ltn, dc=lvc,
dc=com' "(objectclass=groupofnames)" dn | grep -i 'dn:'
Enter LDAP Password:
No such object (32)
what am i missing?
thanks
-ben